VED-501 CSOC Sentinel

terraform/endpoints.tf

@@ -115,6 +115,9 @@ module "api_gateway" {
   environment     = var.environment
   sub_environment = var.sub_environment
   oas             = local.oas
+  aws_region      = var.aws_region
+  immunisation_account_id = var.immunisation_account_id
+  csoc_account_id = var.csoc_account_id
 }
 
 resource "aws_lambda_permission" "api_gw" {

terraform/environments/dev/int/variables.tfvars

@@ -1,6 +1,7 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
+csoc_account_id                   = "693466633220"
 pds_environment                   = "int"
 batch_error_notifications_enabled = true
 pds_check_enabled                 = false

terraform/environments/dev/internal-dev/variables.tfvars

@@ -1,6 +1,7 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
+csoc_account_id                   = "693466633220"
 pds_environment                   = "int"
 batch_error_notifications_enabled = true
 pds_check_enabled                 = true

terraform/environments/dev/pr/variables.tfvars

@@ -1,6 +1,7 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
+csoc_account_id                   = "693466633220"
 pds_environment                   = "int"
 batch_error_notifications_enabled = false
 pds_check_enabled                 = true

terraform/environments/dev/ref/variables.tfvars

@@ -1,6 +1,7 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
+csoc_account_id                   = "693466633220"
 pds_environment                   = "ref"
 batch_error_notifications_enabled = true
 pds_check_enabled                 = true

terraform/modules/api_gateway/api.tf

@@ -21,7 +21,7 @@ resource "aws_apigatewayv2_stage" "default" {
   }
   access_log_settings {
     destination_arn = aws_cloudwatch_log_group.api_access_log.arn
-    format          = "{ \"requestId\":\"$context.requestId\", \"extendedRequestId\":\"$context.extendedRequestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\",  \"responseLength\":\"$context.responseLength\", \"authorizerError\":\"$context.authorizer.error\", \"authorizerStatus\":\"$context.authorizer.status\", \"requestIsValid\":\"$context.authorizer.is_valid\"\"environment\":\"$context.authorizer.environment\" }"
+    format          = "{ \"requestId\":\"$context.requestId\", \"extendedRequestId\":\"$context.extendedRequestId\", \"ip\":\"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"authorizerError\":\"$context.authorizer.error\", \"authorizerStatus\":\"$context.authorizer.status\", \"requestIsValid\":\"$context.authorizer.is_valid\", \"environment\":\"$context.authorizer.environment\" }"
   }
 
   # Bug in terraform-aws-provider with perpetual diff

terraform/modules/api_gateway/logs.tf

@@ -53,3 +53,56 @@ resource "aws_iam_role_policy" "cloudwatch" {
 }
 EOF
 }
+
+resource "aws_iam_role_policy_attachment" "api_logs_apigateway_policy" {
+  role       = aws_iam_role.api_cloudwatch.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+}
+
+resource "aws_iam_policy" "api_logs_subscription_policy" {
+  name = "${var.short_prefix}-api-logs-subscription-policy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid = "AllowPutAPIGSubFilter"
+        Effect = "Allow"
+        Action = [
+          "logs:PutSubscriptionFilter"
+        ]
+        Resource = [
+          "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/vendedlogs/${aws_apigatewayv2_api.service_api.id}/${var.sub_environment}:*",
+          "arn:aws:logs:${var.aws_region}:${var.csoc_account_id}:destination:api_gateway_log_destination"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "api_logs_subscription_policy" {
+  role       = aws_iam_role.api_cloudwatch.name
+  policy_arn = aws_iam_policy.api_logs_subscription_policy.arn
+}
+
+resource "aws_iam_role" "api_logs_subscription_role" {
+  name = "${var.short_prefix}-api-logs-subscription-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow",
+      Sid    = "",
+      Principal = {
+        Service = "logs.${var.aws_region}.amazonaws.com"
+      },
+      Action = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "api_logs_subscription_logfilter" {
+  name            = "${var.short_prefix}-api-logs-subscription-logfilter"
+  log_group_name  = aws_cloudwatch_log_group.api_access_log.name
+  filter_pattern  = ""
+  destination_arn = "arn:aws:logs:${var.aws_region}:${var.csoc_account_id}:destination:api_gateway_log_destination"
+  role_arn        = aws_iam_role.api_logs_subscription_role.arn
+}

terraform/modules/api_gateway/variables.tf

@@ -5,3 +5,6 @@ variable "api_domain_name" {}
 variable "environment" {}
 variable "sub_environment" {}
 variable "oas" {}
+variable "aws_region" {}
+variable "immunisation_account_id" {}
+variable "csoc_account_id" {}

terraform/variables.tf

@@ -6,6 +6,7 @@ variable "sub_environment" {
 
 variable "immunisation_account_id" {}
 variable "dspp_core_account_id" {}
+variable "csoc_account_id" {}
 
 variable "create_mesh_processor" {
   default = false